10 Replies Latest reply on May 7, 2010 10:58 AM by rackroyd

    Rogue Sensor Deployment

      Can my ePO 4.5 server be a Rogue Sensor? If not, why then do I have 129 subnets listed as unmanaged, and how did they get there? I also have rogues showing on my dashboard. Please can someone explain this to me.

      Thank you.

        • 1. Re: Rogue Sensor Deployment
          JoeBidgood

          Hi...

          RSD gets information about the subnets from the information reported back by the agents - so any subnet that has an agent on it, and which is not covered by a sensor, will be listed as unmanaged. So if you don't have any sensors deployed at all, by definition all your subnets will be shown as uncovered.

          HTH -

          Joe

          • 2. Re: Rogue Sensor Deployment

            Hi Joe,

            I understand that. However, my ePO server also has on the dashboard a pane titled Rogue System Interfaces By Subnet. If there are no sensors out in my environment, how does ePO know these are rogue systems, which they in fact are?

            • 3. Re: Rogue Sensor Deployment
              JoeBidgood

              Okay, that makes slightly less sense.

              Can you post a screenshot of the detected systems page?

              Thanks -

              Joe

              • 4. Re: Rogue Sensor Deployment

                Joe, please see attached file. Thanks for all your help.

                • 5. Re: Rogue Sensor Deployment

                  We have the same thing in our environment. The ePO server sees everything that talks to it, and classifies it. So, in theory, all of the agents talking to it should be managed. However, we've found that when machines have multiple MAC addresses associated with them, either because of VPN, wireless cards, or some other networking hiccup, the server becomes confused. It labels one of the MAC addresses as rogue, even though it's getting the information from a managed agent residing on the device.

                  Message was edited by: Slingo on 5/7/10 8:00:34 AM GMT-05:00
                  • 6. Re: Rogue Sensor Deployment
                    JoeBidgood

                    Okay, definitely confusing.

                    As far as I know it's not possible for ePO to flag machines as rogue unless they are detected by a sensor. Is it possible that you had a sensor active at some point and removed it? Or was this an upgrade from a previous version that may have had RSD data in the database?
                    Just trying to rule out the obvious first...

                    Thanks -

                    Joe

                    • 7. Re: Rogue Sensor Deployment

                      Can't speak for the OP, but there are no rogue sensors in our environment, and never have been. Additionally, there are new alerts coming in regularly, both managed devices and rogues. We had to add an accepted OUI to our database in order to get the VPN machines to stop being detected as rogue. That stopped the majority of our false rogue detections, but we still get things like this when real rogue devices are detected:

                      Last Detected Time: 5/6/2010 17:49
                      Detection Source: McAfee Agent

                      It doesn't say which agent made the detection. I assume it's the ePO server, because a normal agent shouldn't be able to act as a sensor.

                      • 8. Re: Rogue Sensor Deployment
                        rackroyd

                        Something to note is that the RSD 2.0 and RSD 4.5 server (not sensor) can view the McAfee Agent as a 'detection source'.

                        When the Agent checks in to the ePO server, it will occasionally update the Detected System information with data from the Agent directly; this is reflected where the Detection Source shows as 'McAfee Agent'.

                        The Agent-as-detection-source check only happens once every 7 days, and is not currently configurable. It's my understanding you would not need an RSD sensor anywhere to see this.

                        Perhaps this will help in understanding what's being seen here.

                        Rgds,

                        • 9. Re: Rogue Sensor Deployment

                          That's very interesting. I was unaware that a standard agent without a sensor could behave that way.

                          Currently, we have an ePO 4.5 p1 server with RSD extension 4.5.1.851. The vast majority of our agents are running MA 4.5. The situation you're describing does seem to apply to our environment.

                          I'm not sure I understand what sort of data the agent would be sending back. It's obviously reporting on more than just its own configuration, because we do see true rogue detections come through for a handful of other Windows systems. But at the same time, it's obviously not equivalent to a true RSD sensor, because it would see a LOT more rogue devices (Linux, Cisco, etc.) if it were. I would even expect it to flag more Windows devices than it currently does.

                          Are there any sort of guidelines or KBs that explain how the MA evaluates and reports its findings?

                          Message was edited by: Slingo on 5/7/10 10:13:03 AM GMT-05:00